Head-scratching

I work for a company with a rather complicated setup, using several trusted third-party companies and sole traders. The company is entirely reliant on its database - and so we're obviously very keen to get the GDPR changes done correctly!

I have three really important questions that I cannot get my head around:

1. In the privacy policy, do we now need to mention all of the processors, or is it enough to mention the company where the controller is employed? We have people working on behalf of the company to provide the service we provide, but we never share data with third parties without additional consent from members (and it's surprising how many do agree).

2. We don't have an open membership - customers apply for membership and then we accept/reject based on a number of factors according to our requirements at the time. When we have a rejection, are we able to keep the data for a certain period of time, so that the user does not simply reapply? We would only need the email address in order to achieve this, and the data would only be processed in the sense that the list would be checked against at the registration phase.

3. We occasionally have to 'ban' members. Are we again able to keep some data for a certain period of time so that we can stop them reapplying for membership?

The complexity of your setup (which is unknown) makes it very difficult to be certain about this information. Nevertheless I hope this helps.

Looking at your question 1, a privacy policy is not a required document, although it is useful. But there is information you are required to tell data subjects, probably members in your case. This information is detailed in Article 13 of GDPR. Point 13.1.e says data subjects must know "the recipients or categories of recipients of the personal data", so yes, you will need to give data subjects some information to satisfy this requirement. While I am a bit confused about how you are talking about 'controllers' being employed by companies, Article 13 will tell you what you should tell data subjects.

Turning to question 2, an email address is personal data under the definitions of GDPR; it is an 'online identifier' intended to identify a single natural person. So if you plan to keep someone's email address for any purpose, you need to tell them about it, and also all the Article 13 information. The idea of keeping an email address to speed your process of refusing membership, though, while I can see its attraction for you, I struggle to imagine the data subject will see the upside of this. You may still do so, but you run the risk of alienating your prospective members, not just the ones you refuse.

Question 3, as the data controller, you can decide what data to process, and for how long to do so, but you may be called upon to answer for your decisions. You can, if you choose, retain personal data as a list of banned members. Data subjects also have rights, including the right to access, and the right to erasure (to be forgotten). These rights are not absolute, but again, you may be called to answer for your decisions. If you choose to keep this data you should be very clear about the purpose of processing, which is to maintain a 'ban list'. You should never use this data for any other purpose.

However you proceed, you should document your thinking and decisions. Above all you should say what you are doing, and do what you are saying.